#!/bin/bash
# The following may be heavily borrowed from, if not
# copied from, the NSA's December 20, 2007 "Guide to the
# Secure Configuration of Red Hat Enterprise Linux 5, Revision 2"

# Title - Setting Lockouts for Failed Password Attempts

# Initialize variables
# PRECHECK: a grep over /etc/pam.d/system-auth that exits 0 when the file
# already shows ANY of the three edits SOLUTION makes (pam_unix.so marked
# "required", or the pam_succeed_if.so / pam_deny.so auth lines commented out).
# NOTE(review): because the alternatives are OR'ed, a partially applied
# SOLUTION also satisfies the precheck — confirm that is the intended meaning.
export PRECHECK="grep -P '^auth\s+required\s+pam_unix.so\s+nullok\s+try_first_pass|^#auth\s+requisite\s+pam\_succeed\_if\.so uid >= 500 quiet|^#auth\s+required\s+pam\_deny\.so' /etc/pam.d/system-auth"
# QUESTION: prompt shown to the operator before SOLUTION is applied.
export QUESTION="Would you like to lock out accounts after a number of incorrect login attempts?"
# DESCRIPTION: the trade-off the operator must weigh — lockouts thwart
# password guessing, but an attacker who deliberately fails logins can deny
# service to the legitimate account holder.
export DESCRIPTION="Locking out user accounts presents the risk of a denial-of-service attack. The security policy regarding system lockout must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks."
# SOLUTION: three in-place sed edits of /etc/pam.d/system-auth, run in order
# (the backslash-newline continuations are removed inside the double quotes,
# so the exported value is a single line of three ';'-separated commands):
#   1. pam_unix.so: "sufficient" -> "required"; \1 and \2 keep the original
#      surrounding whitespace. Under PAM stack semantics a successful
#      "required" module no longer ends the auth stack early, so modules
#      listed after it still run (verify against the target release's PAM).
#   2. comment out the "auth requisite pam_succeed_if.so uid >= 500 quiet" line
#   3. comment out the "auth required pam_deny.so" line
# NOTE(review): none of these commands adds a failure-counting module
# (pam_tally / pam_tally2 or similar); presumably that line is added by
# another step of the same control — confirm, because on its own this block
# does not enforce a lockout, and step 3 removes the stack's explicit
# default-deny line.
# NOTE(review): sed -i is used without a backup suffix, so a bad edit to
# system-auth cannot be rolled back from this script alone — keep a copy of
# the file before running SOLUTION and test a login on a second session.
export SOLUTION="sed -i -re 's/(auth\s+)sufficient(\s+pam_unix.so\s+nullok\s+try_first_pass)/\1required\2/' /etc/pam.d/system-auth; \
sed -i -re 's/^(auth\s+requisite\s+pam\_succeed\_if\.so uid >= 500 quiet)/#\1/' /etc/pam.d/system-auth; \
sed -i -re 's/^(auth\s+required\s+pam\_deny\.so)/#\1/' /etc/pam.d/system-auth;"
